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Summary 

P.L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), directed 
HHS to adopt standards to facilitate the electronic exchange of health information for certain 
financial and administrative transactions. The HIPAA Privacy Rule was adopted by HHS as the 
national standard for the protection of individually identifiable health information. It regulates the 
use and disclosure of protected health information by health plans, health care clearinghouses, 
and health care providers who transmit financial and administrative transactions electronically; 
establishes a set of basic consumer protections; permits any person to file an administrative 
complaint for violations; and authorizes the imposition of civil or criminal penalties. Enforcement 
of the Privacy Rule began in 2003. 

On March 16, 2006, the Final HIPAA Administrative Simplification Enforcement Rule went into 
effect. The Enforcement Rule has both procedural and substantive provisions, and is applicable to 
all HIPAA administrative simplification standards. The Enforcement Rule establishes procedures 
for the imposition of civil money penalties on entities that violate rules adopted by the Secretary 
to implement the Administrative Simplification provisions of HIPAA. It also amends existing 
rules relating to the process for imposition of civil money penalties, and clarifies the investigation 
process, the bases for liability, determination of the penalty amount, grounds for waiver, conduct 
of the hearing, and the appeal process. 

Lawmakers and others are examining the statutory and regulatory framework for enforcement of 
the HIPAA Administrative Simplification standards, and ways to ensure that agencies use their 
enforcement authority to the fullest extent under HIPAA to address improper uses and disclosures 
of protected health information. The privacy and security of health information is also recognized 
as a critical element of transforming the health care system through the use of health information 
technology. For further information on this topic, See CRS Report RS 22760, Electronic Personal 
Health Records , by Gina Marie Stevens. 

This report discusses enforcement of the HIPAA administrative simplification provisions by HHS 
and DOJ, and provides an overview of the HIPAA Administrative Simplification Enforcement 
Rule. This report will be updated when warranted. 
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Background 

In 1996, Congress enacted the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) 1 to “improve portability and continuity of health insurance coverage in the group and 
individual markets.” 2 Congress enacted HIPAA to guarantee the availability and renewability of 
health insurance coverage and limit the use of pre-existing condition restrictions. HIPAA also 
included tax provisions related to health insurance and administrative simplification provisions 
requiring issuance of national standards to facilitate the electronic transmission of health 
information. 

Part C of HIPAA 3 requires “the development of a health information system through the 
establishment of standards and requirements for the electronic transmission of certain health 
information.” 4 Such standards are required to be consistent with the objective of reducing the 
administrative costs of providing and paying for health care. 

These Administrative Simplification provisions require the Secretary of HHS to adopt national 
standards to facilitate the electronic exchange of information for certain financial and 
administrative transactions; select or establish code sets for data elements; protect the privacy of 
individually identifiable health information; maintain administrative, technical, and physical 
safeguards for the security of health information; provide unique health identifiers for individuals, 
employers, health plans, and health care providers; and to adopt procedures for the use of 
electronic signatures. 5 

Health plans, health care clearinghouses, and health care providers who transmit financial and 
administrative transactions electronically are required to use standardized data elements and 
comply with the national standards and regulations promulgated pursuant to Part C. 6 Failure to 
comply with the regulations may subject the covered entity to civil or criminal penalties. 

This report provides an overview of the statutory and regulatory enforcement scheme (under the 
recently issued Final Enforcement Rule) for the Administrative Simplification provisions of 
HIPAA. In addition, it summarizes recent enforcement actions by HHS and DOJ. 



Civil Money Penalties 

Under HIPAA, the Secretary is required to impose a civil monetary penalty (CMP) on any person 
failing to comply with the Administrative Simplification provisions in Part C. 7 The maximum 



1 P.L. 104-191, 110 Stat. 1936 (1996), codified in part at 42 U.S.C. §§ 1320d et seq. 

2 H.Rept. 104-496, at 1, 66-67, reprinted in 1996 U.S.C.C.A.N. 1865, 1865-66. 

3 42 U.S.C. §§ 1320d — 1320d-8. 

4 110 Stat. 2021. 

5 42 U.S.C. §§ 1320d-2(a)-(d). HHS has issued final regulations to adopt national standards for transactions and code 
sets, privacy, security, and employer identifiers. See Administrative Simplification Under HIPAA: National Standards 
for Transactions, Privacy and Security, at http://www.hhs.gov/news/press/2002pres/hipaa.html. 

6 42 U.S.C. § 1320d-4(b) Requires compliance with the regulations within a certain time period by “each person to 
whom the standard or implementation specification [adopted or established under sections 1320d-l and 1320d-2] 
applies.” 

7 42 U.S.C. § 1320d-5(a). 
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civil money penalty (i.e., the fine) for a violation of an administrative simplification provision is 
$100 per violation and up to $25,000 for all violations of an identical requirement or prohibition 
during a calendar year. 8 

A number of procedural requirements that are relevant to the imposition of CMP’s for violations 
of the Administrative Simplification standards 9 are incorporated by reference in HIPAA from the 
general civil money penalty provision in 42 U.S.C. § 1320a-7a. 10 The Secretary may not initiate a 
CMP action “later than six years after the date” of the occurrence that forms the basis for the 
CMP action. 11 The Secretary may initiate a CMP by serving notice in a manner authorized by 
Rule 4 of the Federal Rules of Civil Procedure (Commencement of Action). The Secretary must 
give written notice to the person on whom he wishes to impose a CMP and an opportunity for a 
determination to made “on the record after a hearing at which the person is entitled to be 
represented by counsel, to present witnesses, and to cross-examine witnesses against the 
person.” 12 Judicial review of the Secretary’s determination and the issuance and enforcement of 
subpoenas is available in the United States Court of Appeals. 13 

A CMP may not be imposed with respect to an act that constitutes criminal disclosure of 
individually identifiable information 14 “if it is established to the satisfaction of the Secretary that 
the person liable for the penalty did not know, and by exercising reasonable diligence would not 
have known, that such person violated the provisions”; 13 or if “the failure to comply was due to 
reasonable cause and not to willful neglect” and is corrected within 30 days after learning of the 
violation. 16 The Secretary may provide technical assistance during such period. A CMP may be 
reduced or waived “to the extent that the payment of such penalty would be excessive relative to 
the compliance failure involved.” 17 

Three specific affirmative defenses bar the imposition of civil money penalties: (1) the act is a 
criminal offense under HIPAA’s criminal penalty provision — wrongful disclosure of individually 
identifiable health information; (2) the covered entity did not have actual or constructive 
knowledge of the violation; and (3) the failure to comply was due to reasonable cause and not to 
willful neglect, and the failure to comply was corrected during a 30-day period beginning on the 
first date the person liable for the penalty knew, or by exercising reasonable diligence would have 
known, that the failure to comply occurred. 18 

The Office of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule. 19 OCR 
has said that any civil penalties imposed will only affect covered entities; in other words, a 



*42 U.S.C. § 1320d-5(a)(l). 

9 42 U.S.C. § 1320d-5(a)(2). 

10 Except for the subsections addressing the imposition of civil money penalties for improperly filed claims, payments 
to induce a reduction or limitation of services, and the recovery and use of funds. 

“42 U.S.C. § 1320a-7a(c)(l). 

12 42 U.S.C. § 1320a-7a(c)(2). 

13 42 U.S.C. § 1320a-7a(e). 

14 42 U.S.C. § 1320d-5(b)(l). 

15 42 U.S.C. § 1320d-5(b)(2). 

16 42 U.S.C. § 1320d-5(b)(3). 

17 42 U.S.C. § 1320d-5(b)(4). 

18 42 U.S.C. § 1 320d-5(b)( 1 ) — (4) . 

19 65 Fed. Reg. 82381. 
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member of a workforce who is not a covered entity appears not to be subject to civil sanctions by 
OCR. 

Criminal Penalties 

HIPAA establishes criminal penalties for any person who knowingly and in violation of the 
Administrative Simplification provisions of HIPAA uses a unique health identifier or obtains or 
discloses individually identifiable health information. 20 Enhanced criminal penalties may be 
imposed if the offense is committed under false pretenses, with intent to sell the information or 
reap other personal gain. 

The penalties include (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 
year; (2) if the offense is “under false pretenses,” a fine of not more than $100,000 and/or 
imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use 
individually identifiable health information for commercial advantage, personal gain, or 
malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 
years. 21 These penalties do not affect any other penalties that may be imposed by other federal 
programs. 



Scope of Criminal Enforcement 

In 2005, the Justice Department Office of Legal Counsel (OLC) addressed which persons may be 
prosecuted under HIPAA. 22 Based on its reading of the plain terms of the statute, the privacy 
regulations, and Executive Order 13,141 (To Protect the Privacy of Protected Health Information 
in Oversight Investigations), OLC concluded that only a covered entity could be criminally liable 
“in violation of this part.” 23 Because Part C applies only to covered entities and mandates 



20 42 U.S.C. § 1320d-6(a). Wrongful disclosure of individually identifiable health information 

(a) Offense 

A person who knowingly and in violation of this part — 

(1) uses or causes to be used a unique health identifier; 

(2) obtains individually identifiable health information relating to an individual; or 

(3) discloses individually identifiable health information to another person, 
shall be punished as provided in subsection (b) of this section. 

(b) Penalties 

A person described in subsection (a) of this section shall — 

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both; 

(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned 
not more than 5 years, or both; and 

(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for 
commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 
10 years, or both. 42 U.S.C. § 1320d-6. 

21 42 U.S.C. § 1320d-6(b). 

22 U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005 at 
http://www.justice.gov/olc/hipaa_final.htm. 

23 OLC’s opinion limiting direct liability under the HIPAA criminal statute to covered entities was widely criticized. 
Critics believed that such an interpretation would result in weak enforcement of the HIPAA standards. See Robert Pear, 
Riding Limits Prosecutions of People Who Violate Law on Medical Records , New York Times (June 7, 2005); Peter P. 
(continued...) 
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compliance only by covered entities, OLC concluded that direct liability for violations of section 
1320d-6 was limited to covered entities (health plans, health care clearinghouses, those health 
care providers specified in the statute, and Medicare prescription drug card sponsors); and 
depending on the facts of a given case, certain directors, officers, and employees of these entities 
may be liable directly under section 1320d-6, based on general principles of corporate criminal 
liability. 24 Other persons who obtain protected health information in a manner that causes a 
covered entity to release the information in violation of HIPAA, including recipients of protected 
information, may not be liable directly. The liability of persons for conduct that may not be 
prosecuted directly under section 1320d-6 is to be determined by principles of aiding and abetting 
liability under 18 U.S.C. § 2 25 and of conspiracy liability under 18 U.S.C. § 371. 26 OLC also 
noted that such conduct may also be punishable under other federal laws, such as the identity 
theft under 18 U.S.C. § 1028 27 and fraudulent access of a computer under 18 U.S.C. § 1 030. 28 

The Office of Legal Counsel also considered what the “knowingly” element of the offense 
requires and concluded that the “knowingly” element is best read, consistent with its ordinary 
meaning, to require only proof of knowledge of the facts that constitute the offense. 29 



The HIPAA Privacy Rule 

To carry out the requirements of Part C, the HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164, 
was adopted as the national standard for the protection of individually identifiable health 
information. 30 Enforcement of the Privacy Rule began on April 14, 2003, except that for small 



(...continued) 

Swire, Justice Department Opinion Undermines Protection of Medical Privacy , Center for American Progress (June 7, 
2005), at http://www.americanprogress.org/issues/2005/06/b743281.html; Peter A. Winn, Who Is Subject to Criminal 
Prosecution under HIPAA ?, at 

http://www.abanet.org/health/01_interest_groups/01_media/WinnABA_2005-ll.pdf. 

24 According to OLC under general principles of corporate criminal liability, the conduct of an entity’s agents may be 
imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may 
be imputed to the entity when the agents act on its behalf. 

25 § 2. Principals 

(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its 
commission, is punishable as a principal. 

(b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense 
against the United States, is punishable as a principal. 

26 § 371. Conspiracy to commit offense or to defraud United States 

If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, 
or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object 
of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both. 

If, however, the offense, the commission of which is the object of the conspiracy, is a misdemeanor only, the 
punishment for such conspiracy shall not exceed the maximum punishment provided for such misdemeanor. 

27 See CRS Report RL31919, Federal Laws Related to Identity Theft , by Gina Marie Stevens. 

28 See CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related 
Federal Criminal Laws, by Charles Doyle. 

29 U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005, at 
http://www.justice.gov/olc/hipaa_final.htm. 

30 The Privacy Rule went into effect on April 14, 2001. On August 14, 2002, HHS published a modified Privacy Rule. 
67 Fed. Reg. 53181 available at http://www.hhs.gov/ocr/hipaa/finalreg.html. 
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health plans with annual receipts of $5 million or less enforcement began April 2004. The Office 
of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule. 31 The Centers for 
Medicare and Medicaid Services (CMS) has delegated authority to enforce the non-privacy 
HIPAA standards, including the Security Rule. 32 



Covered Entities 

Because of the explicit language of HIPAA, the Privacy Rule applies only to a specified set of 
“covered entities”: (1) health plans, (2) health care clearinghouses, and (3) health care providers 
who transmit information in electronic form in connection with standard transactions governed by 
the Administrative Simplification provisions. Medicare prescription drug sponsors were added 
to the list of “covered entities” in 2003. 34 Excluded from the definition of covered entities are 
employees of covered entities. Business associates of covered entities are subject to certain 
aspects of the Privacy Rule. 35 



Protected Health Information 

The Privacy Rule applies to protected health information that is individually identifiable health 
information “created or received by a health care provider, health plan, or health care 
clearinghouse” that “[rjelates to the ... health or condition of an individual” or to the provision of 
or payment for health care. 36 



Uses and Disclosures 

The HIPAA Privacy Rule 37 governs the use and disclosure of protected health information by 
HIPAA -covered entities (health plans, health care providers, and health care clearinghouses) The 
Rule requires a covered entity to obtain the individual’s written authorization for any use or 
disclosure of protected health information that is not for treatment, payment or health care 
operations or otherwise permitted or required by the Privacy Rule. 38 A covered entity is required 
to disclose protected health information in two situations: (1) to individuals when they request 
access to or an accounting of disclosures of their protected health information; and (2) to HHS for 
compliance review or enforcement action. The HIPAA Privacy Rule permits use and disclosure of 



31 The Secretary of Health and Human Services recently delegated to the Director of OCR the authority to issue 
subpoenas in investigations of alleged violations of the HIPAA Privacy Rule. 72 Fed. Reg. 18,999 (April 16, 2007). 

32 68 Fed. Reg. 60694. 

33 42 U.S.C. §§ 1320d-l(a)(l)-(3) (“Any standard adopted under this part shall apply, in whole or in part, to the 
following persons: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any 
health information in electronic form in connection with a transaction referred to in section 1320d-2(a)(l) of this 
title.”). 

34 42 U.S.C. § 1320d-l(a); 45 C.F.R. §§ 164. 104(a)(l)-(3). The Medicare Prescription Drug Improvement and 
Modernization Act of 2003, P.L. 108-173, § 101(a)(2), 117 Stat. 2071, 2144 (2003), codified at 42 U.S.C. § 1395w- 
14(h)(6). 

35 45 C.F.R. § 164.530(e)(2)(ii)(A). 

36 45 C.F.R. § 160.103. 

37 45 C.F.R. § 160 and 164. 

38 45 C.F.R. § 164.508. 
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protected health information, without an individual’s authorization or consent, for 12 national 

39 

priority purposes. 



The HIPAA Security Rule 

Regulations governing security standards under HIPAA require health care covered entities to 
maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, 
and availability of electronic protected health information; to protect against any reasonably 
anticipated threats or hazards to the security or integrity of such information, as well as protect 
against any unauthorzed uses or disclosures of such information. 40 The Centers for Medicare and 
Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Standard. 41 

The Security Rule applies only to protected health information in electronic form (EPHI), and 
requires a covered entity to ensure the confidentiality, integrity, and availability of all EPHI the 
covered entity creates, receives, maintains, or transmits. Covered entities must protect against any 
reasonably anticipated threats or hazards to the security or integrity of such information, and any 
reasonably anticipated uses or disclosures of such information that are not permitted or required 
under the Privacy Rule; and ensure compliance by its workforce. 42 

The Security Rule allows covered entities to consider such factors as the cost of a particular 
security measure, the size of the covered entity involved, the complexity of the approach, the 
technical infrastructure and other security capabilities in place, and the nature and scope of 
potential security risks. The Rule establishes “standards” in three categories — administrative, 
physical, and technical — that covered entities must meet, accompanied by implementation 
specifications for each standard. 

The Security Rule requires covered entities to enter into agreements with business associates who 
create, receive, maintain or transmit EPHI on their behalf. Under such agreements, the business 
associate must: implement administrative, physical and technical safeguards that reasonably and 
appropriately protect the confidentiality, integrity and availability of the covered entity’s 
electronic protected health information; ensure that its agents and subcontractors to whom it 
provides the information do the same; and report to the covered entity any security incident of 
which it becomes aware. The contract must also authorize termination if the covered entity 
determines that the business associate has violated a material term. A covered entity is not liable 
for violations by the business associate unless the covered entity knew that the business associate 
was engaged in a practice or pattern of activity that violated HIPAA, and the covered entity failed 
to take corrective action. 



39 45 C.F.R. 164.512. 

40 HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. Part 164. 

41 See generally, Centers for Medicare and Medicaid Services, Security Materials at http://www.cms.hhs.gov/ 
EducationMaterials/04_SecurityMaterials.asp#TopOfPage. 

42 45 C.F.R. § 164.306(a). 
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The HIPAA Administrative Simplification 
Enforcement Rule 

On February 16, 2006, HHS published the Final Enforcement Rule, with both procedural and 
substantive provisions, applicable to all HIPAA administrative simplification standards in Part 
C. 43 The final rule went into effect March 16, 2006. The following discussion summarizes the 
main provisions of the Enforcement rule. 



Voluntary Cooperation 

With respect to ascertaining compliance with and enforcement of the administrative 
simplification provisions, the Secretary of HHS is to seek the voluntary cooperation of covered 
entities. Enforcement and other activities to facilitate compliance include the provision of 
technical assistance, responding to questions, providing interpretations and guidance, responding 
to state requests for preemption determinations, and investigating complaints and conducting 
compliance reviews. 



Complaints to the Secretary 

The Privacy Rule permits any person to file an administrative complaint for violations. 44 It did 
not create a private right of action for individuals to sue to remedy privacy violations. 45 
Individuals must direct their complaints to the HHS Office for Civil Rights (OCR) or to the 
covered entity. 46 An individual may file a compliant with the Secretary if the individual believes 
that the covered entity is not complying with the administrative simplification provisions. 47 
Complaints to the Secretary may be filed only with respect to alleged violations occurring on or 
after April 14, 2003. The Secretary’s investigation may include a review of the policies, 
procedures, or practices of the covered entity, and of the circumstances regarding the alleged acts 
or omissions. 48 



Compliance Reviews 

The Secretary is also authorized to conduct compliance reviews. 49 According to OCR, it is 
conducting Privacy Rule compliance reviews only where compelling and unusual circumstances 
demand. 50 



43 71 Fed. Reg. 8390. 45 CFR § 160.300 etseq. 

44 45 CFR § 160.306. 

45 Several federal district courts have held that HIPAA did not create a privately enforceable right of action, and one 
federal appellate court has also recently upheld that finding. See Acara v. Banks , 470 F.3d 569 (5 th Cir. 2006). 

46 OCR maintains a website with information on the regulation, including guidance at http://www.hhs.gov/ocr/hipaa/. 
HHS also issued a 20-page “Summary of the HIPAA Privacy Rule,” at http://www.hhs.gov/ocr/privacysummary.pdf. 

47 45 CFR § 160.306. 

4S The Secretary has delegated to the Office for Civil Rights (OCR) the authority to receive and investigate complaints 
as they may relate to the Privacy Rule. 65 Fed. Reg. at 82,474, 82,487. 

49 45 CFR § 160.308. 



Congressional Research Service 



7 




http://wikileaks.org/wiki/CRS-RL33989 



Enforcement of the ElIPAA Privacy and Security Rides 



Responsibilities of Covered Entities 

Covered entities are required to provide records and compliance reports to the Secretary to 
determine compliance, and to cooperate with complaint investigations and compliance reviews. 51 



Secretarial Action 

In cases where no violation is found, the Secretary is to inform the covered entity and the 
complainant in writing. In cases where an investigation or compliance review has indicated 
noncompliance, the Secretary is to inform the covered entity and the complainant in writing, and 
attempt to resolve the matter informally. 52 If the Secretary determines that the matter cannot be 
resolved informally, the Secretary may issue written findings documenting the noncompliance. 
The covered entity has 30 days to respond to the Secretary’s findings and must be given an 
opportunity to submit written evidence of any mitigating factors or affirmative defenses, as it 
proceeds to the civil monetary penalty phase. Finally, the Rule includes a provision that prohibits 
covered entities from threatening, intimidating, coercing, discriminating against, or taking any 
other retaliatory action against anyone who complains to HHS or otherwise assists or cooperates 
in the HIPAA enforcement process. 53 Actions must be brought by the Secretary within six years 
from the date of the violation. 



Affirmative Defenses 

Three specific affirmative defenses would bar the imposition of civil money penalties: (1) the 
violation is a criminal offense under HIPAA — wrongful disclosure of individually identifiable 
health information; (2) the covered Entity did not have actual or constructive knowledge of the 
violation; or (3) the failure to comply was due to reasonable cause and not to willful neglect, and 
was corrected during a 30-day period beginning on the first date the person liable for the penalty 
knew, or by exercising reasonable diligence would have known, that the failure to comply 
occurred. 54 With respect to the first two defenses, the Secretary may waive the civil money 
penalty if it would be excessive in relation to the violation. 



(...continued) 

50 U.S. Department of Health and Human Services, Fiscal Year 2008. Office for Civil Rights, Justification of Estimates 
for Appropriations Committees , p. 37, at http://www.hhs.gov/ocr/CJFY2008.pdf. For more recent information on the 
activities of OCR, see. Fiscal Year 2009 Justification of Estimates for Appropriations Committees at 
http://www.hhs.gov/ocr/CJ2009.pdf. 

51 45 CFR § 160.310. 

32 45 CFR § 160.312. Presumably it was pursuant to this authority that HHS entered into the resolution agreement with 
Providence Health & Services. 

53 45 CFR § 160.316. 

54 45 CFR § 160.410. 
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Civil Money Penalties 

The Enforcement rule provides that the “Secretary will impose a civil money penalty upon a 
covered entity if the Secretary determines that the covered entity has violated an administrative 
simplification provision.” 55 

The Secretary is required to provide notice of a proposed penalty to the covered entity, including 
the respondent a right to request a hearing within 90 days before an Administrative Law Judge. 56 
If the respondent fails to request a hearing, the Enforcement Rule states that "the Secretary will 
impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5.” 57 Once a 
penalty has become final, the Secretary is obligated to notify the public, state, and local medical 
and professional organizations; state agencies administering health care programs; utilization and 
quality peer review organizations; and state and local licensing agencies and organizations. 

To determine the number of “violations” to compute the amount of the civil penalty, the Secretary 
is to base the decision upon the nature of the covered entity’s obligation to act or not under the 
violated provision. 58 The Rule also provides that HHS may consider the following aggravating or 
mitigating factors when determining the amount of the penalty: the nature of the violation; the 
circumstances under which the violation occurred; the degree of culpability; any history of prior 
compliance, including violations; the financial condition of the covered entity; and such “other 
matters as justice may require.” 59 The Secretary is authorized to settle any issue or case or to 
compromise any penalty. 



Criminal Referrals 

HHS refers to the DOJ for criminal investigation appropriate cases involving the knowing 
disclosure or obtaining of individually identifiable health information in violation of the Privacy 
Rule. 



Criminal Enforcement Actions 

Criminal convictions have been obtained in three cases involving employees of covered entities 
who improperly obtained protected health information. Two of the HIPAA criminal cases were 
brought after the OLC legal opinion limiting direct liability for violations to covered entities. 60 



55 45 CFR § 160.402. 

56 Provision is also made for an administrative appeal of the ALJ's decision to the HHS Departmental Appeals Board, 
and judicial review of the Board’s final decision. 

57 45 CFR § 160.422. 

58 45 CFR § 160.406. 

59 45 CFR § 160.408. 



60 Atlantic Information Services, Inc., HIPAA Criminal Cases Against Individuals Proceed Despite DOJ Memo, at 
http://www.aishealth.com/Compliance/Hipaa/RPP_HIPAA_Cases_Proceed.html 
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United States v. Gibson 

The first case prosecuted by a U.S. Attorney’s Office under the HIPAA criminal statute involved a 
Seattle phlebotomist employed at a cancer center who was sentenced to 16 months in prison and 3 
years of supervised release in 2004 for stealing credit card information from a cancer patient, 
charging $9,000 worth of merchandise on it, and using that information to get credit cards in the 
defendant’s name. 61 The defendant was ordered to pay restitution in the amount of $15,000. The 
U.S. attorney’s office in Seattle chose to prosecute the identity theft as a criminal HIPAA 
violation because the information had been collected from a patient, 62 instead of prosecuting the 
defendant for identity theft. 63 Specifically, the defendant was charged with and pled guilty to the 
wrongful disclosure of individually identifiable health information for economic gain in violation 
of 42 U.S.C. § 1320d-6(a)(3) and (b)(3). It is notable that the defendant was not a covered entity 
but a member of the covered entities workforce not acting within the scope of his employment. 
The OLC legal opinion was issued after the defendant’s conviction. 



United States v. Ramirez 

In 2006, a Texas woman employed in the office of a doctor who had a contract to provide 
physicals and medical treatment to FBI agents was convicted of selling an FBI agent’s medical 
records for $500. 64 The defendant pled guilty to the federal felony offense of wrongfully using a 
unique health identifier intending to sell individually identifiable health information for personal 
gain, 42 U.S.C. § 1 320d-6(a)( 1) and (b)(3), and of violating 18 U.S.C. §2. 65 She was sentenced to 
six months in jail and four months of home confinement to be followed by a two-year term of 
supervised release. 66 The defendant was also ordered to pay a criminal money penalty of $100. 
Two aggravating factors were found by the court. First, the defendant had sold the confidential 
medical record, and second, the record belonged to a federal agent. 



United States v. Ferrer and Machado 

The defendant was an employee of a medical clinic and improperly obtained Medicare 
information and other patient information for more than 1,100 clinic patients and sold that 
information to the owner of a medical claims business for $5 to $10 each. The information was 



61 United States v. Gibson , 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004). 

62 See ABA Health eSource, Interview with Susan Loitz, Assistant U.S. Attorney (October 2004), at 
http://www.abanet.org/health/esource/vollno2/loitz.html. 

63 See Atlantic Consulting Services, Inc., Synergy Between the Identity Theft Issue And Privacy, Security Grows 
Stronger, at http://www.aishealth.com/Compliance/Hipaa/RPP_identity_patient_ID_theft.html. (Noting that “Identity 
theft is now the number one financial crime in the country, and health care organizations are prime targets because of 
their vast reservoirs of personal data, such as Social Security numbers.”) 

64 United States v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex. 2006). 

65 § 2. Principals 

(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its 
commission, is punishable as a principal. 

(b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense 
against the United States, is punishable as a principal. 

66 U.S. Department of Justice, Alamo, Texas Woman Convicted of Selling FBI Agent' s Medical Record Sentenced, at 
http://www.usdoj.gov/usao/txs/releases/March2006/060307-Ramirez.pdf. 
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then used by medical providers to fraudulently bill Medicare for services not rendered and 
equipment not supplied, resulting in a $7 million fraud to Medicare and the payment of 
approximately $2.5 million to providers and suppliers. 67 The defendants were charged with 
conspiracy in violation of 18 U.S.C. § 371, with computer fraud in violation of 18 U.S.C. § 
1030(a)(4)and (c)(3)(A), wrongful disclosure of individually identifiable health information in 
violation of 42 U.S.C. § 1320d-6(a)(2) and (b)(3), and aggravated identity theft in violation of 18 
U.S.C. § 1028A(a)(2). Because the clinic -employer was a cooperating witness and the defendant 
was acting outside the scope of her lawful employment, the clinic was not charged. 

In January 2007, Florida defendant Machado pled guilty to conspiracy to commit computer fraud, 
conspiracy to commit identity theft and conspiracy to wrongfully disclose individually 
identifiable health information. 68 The defendant testified against her co-defendant. The defendant 
was sentenced on April 27, 2007, and faced a maximum of 5 years imprisonment, $250,000 fine, 
and possible restitution. Defendant Machado was sentenced to 3 years probation, including 6 
months of home confinement, and also ordered to pay restitution in the amount of $2,505,883. 

Co-defendant Ferrer, owner of the medical claims business, was convicted by a jury of all eight 
counts (one count of conspiring to defraud the United States, one count of computer fraud, one 
count of wrongful disclosure of individually identifiable health information, and five counts of 
aggravated identity theft). 69 Defendant Ferrer was also sentenced on April 27, 2007, and faced a 
maximum statutory term of imprisonment of 5 years on the conspiracy count; a maximum 
statutory term of imprisonment of 5 years on the computer fraud count; a maximum statutory 
term of imprisonment of 10 years on the wrongful disclosure of individually identifiable health 
information count; and a maximum statutory term of imprisonment of 2 years on each count of 
aggravated identity theft. Ferrer was sentenced to 87 months in prison, 3 years of supervised 
release, and ordered to pay restiution in the amount of $2,505,883. According to DOJ, this is the 
first HIPAA violation case that has gone to trial. 70 The two other cases resulted in guilty pleas. 



HIPAA Enforcement Activity 

According to recently released data from HHS, from April 2003, when enforcement of the 
Privacy Rule began, to May 31, 2008, approximately 36,374 health information privacy 
complaints were filed with HHS. 71 In 19,997 cases, HHS did not find enforcement authority 
under HIPAA. 72 HHS found authority to investigate and resolve 6,392 cases. In those cases, HHS 



67 The United States Attorney's Office Southern District of Florida, Cleveland Clinic Employee Pleads Guilty to 
Superseding Fraud Indictment, January 11, 2007, at http://www.usdoj.gov/usao/fls/PressReleases/0701 1 l-03.html. 

68 United States v. Ferrer and Machado, 2006 WL 4005632 (S.D.Fla. 2006). 

69 The United States Attorney's Office Southern District of Florida, Naples Man Convicted In Cleveland Clinic Identity 
Theft and Medicare Fraud Case, January 24, 2007, at http://www.usdoj.gov/usao/fls/PressReleases/070124-02.html. 

70 Id. 

71 U.S. Department of Health and Human Services, Compliance and Enforcement: Privacy Rule Enforcement 
Highlights, at http://www.hhs.gov/ocr/privacy/enforcement/053 12008.html. 

72 Id. Either because of lack of jurisdiction (the violation occurred prior to the effective date of the Rule or the entity 
was not subject to the Privacy Rule); the complaint was untimely, withdrawn, or not pursued by the complainant; or the 
activity being complained of did not violate the Privacy Rule. 
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obtained changes in the investigated entity’s privacy practices or other corrective actions. 73 HHS 
found no violation of the Privacy Rule in 3,156 cases. 74 Almost 6,800 cases remain unresolved. 

According to HHS, the compliance issues most frequently investigated were for impermissible 
use or disclosure of protected health information, lack of adequate safeguards for protected health 
information, lack of patient access to his or her protected health information, the disclosure of 
more information than is minimally necessary to satisfy a particular request for information, and 
failure to have an individual’s authorization for a disclosure that requires one. 75 The covered 
entities most commonly required to take corrective action by HHS, in order of frequency, include 
private practices, general hospitals, outpatient facilities, health plans, and pharmacies. 76 

According to its enforcement website, HHS did not report any civil penalties during the five-year 
period of 2003-2008. 77 HHS reported that more than 435 cases were referred by HHS to DOJ for 
criminal investigation of knowing disclosure or access to protected health information in violation 
of the Privacy Rule. An additional 247 cases were referred to the Centers for Medicare and 
Medicaid Services (CMS) for investigation of cases that involve a potential violation of the 
HIPAA Security Rule. Although information on criminal convictions was not reported by HHS, 
criminal convictions were obtained in three cases involving employees of covered entities who 
improperly obtained protected health information. 77 

Concerns have been raised by some that the HIPAA Privacy Rule is being underenforced by the 
U.S. Departments of Health and Human Services (HHS) and Justice (DOJ). 79 Privacy advocates 
have been critical of HHS’ enforcement of the HIPAA Privacy Rule which has focused on 
technical assistance and voluntary cooperation fo the covered entity with HHS. According to 
HHS, several factors contribute to the number of enforcement actions taken by it for violations of 
the HIPAA Privacy Rule. First is HHS’s preference for voluntary compliance, corrective action, 
and/or resolution agreement. 80 Second, HIPAA applies only to certain groups, defined as covered 
entities, health plans, health care clearinghouses, and health care providers who transmit financial 
and administrative transactions electronically. HIPAA does not cover all types of entities that 
maintain personal health information (e.g., life insurers, employers, workers compensation 
carriers, schools and school districts, state agencies such as child protective service agencies, law 
enforcement agencies, and municipal offices). 81 Third, HIPAA does not cover of all types of 



73 Id. 

74 Id. 

75 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By 
Issue , at http://www.hhs.gov/ocr/privacy/enforcement/casebyissue.html. 

76 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By 
Covered Entity, at http://www.hhs.gov/ocr/privacy/enforcement/casebyentity.html. 

77 The U.S. Department of Health and Human Services (HHS) recently announced an enhanced website to make it 
easier to get information about how the Department enforces health information privacy rights and standards. HHS 
Launches New Web site on HIPAA Privacy Compliance and Enforcement, April 20, 2007, at http://www.hhs.gov/ocr/ 
privacy/enforcement/announcement.html. 

78 United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004); United States v. Ramirez, 
Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex. 2006); United States v. Ferrer and Machado, 2006 WL 
4005632 (S.D.Fla. 2006). 

79 Rob Stein, “Medical Privacy Law Nets No Fines,” The Washington Post, June 5, 2006 at A01. 

80 U.S. Deptartment of Health and Human Services, Compliance and Enforcement: How OCR Enforces the HIPAA 
Privacy Rule, at http://www.hhs.gov/ocr/privacy/enforcement/hipaarule.html. 
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health transactions. Fourth, the statute does not create a private right of action, but rather public 
enforcement by HHS and DOJ. Fifth, the complained-of activity might not be a violation of the 
Privacy Rule. 

In July 2008, the first time since the Privacy Rule went into effect in 2003, HHS required a 
resolution agreement from a covered entity (a contract signed by HHS and the covered entity) for 
violations of the HIPAA Privacy and Security Rules. 82 HHS entered into a resolution agreement 
with Providence Health & Services requiring the covered entity to pay $100,000 and to 
implement a corrective action plan to safeguard identifiable electronic patient information to 
settle potential violations of the HIPAA Privacy and Security Rules. In this case the violations 
involved the loss of backup tapes and theft of laptops containing individually identifiable health 
information. 
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(...continued) 

81 HHS’s approach to the regulation of the privacy of health information “is also significantly informed by the limited 
jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health 
information, but not many key stakeholders who receive that health information from a covered entity.” 65 Fed. Reg. 
82462, 82471 (2000). 

82 See, Resolution Agreement HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health 
Information, at http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf. 
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